What is NIS2? A quick recap
NIS2, adopted at the end of 2022, repeals the 2016 NIS Directive. It is vastly more ambitious than the 2016 NIS, both in the range of business sectors it will directly impact and in the cultural change it is designed to produce.
One of its goals is to make the proactive management of cyber-risks a core competence and key priority for senior management across business sectors as diverse as healthcare, vehicle manufacturing, transport or waste management, to name a few. It enables (and in some instances, requires) stringent penalties in the form of multi-million-euro fines for businesses and potential personal liabilities for senior management for demonstrable failure to comply.
In other words, it is intended to trigger, for many large businesses, a cultural change in boardrooms as well as in overall operations – applying across a vastly greater range of sectors than the original NIS.
NIS2 is also intended to lay the foundations for a regime of ongoing cooperation and information-sharing between economic actors and government administrations for the management of cyber-risks across the European single market. To do so, it creates new bodies and extends the role of existing ones – particularly ENISA. The network of CSIRTs at operational level and the NIS Cooperation Group at strategic level are key elements of this new architecture.
Do not wait for national transposition to pay attention
Because NIS2 is a directive, it is primarily addressed to member states. As a general principle, the requirements set out in a directive only take full effect once transposed into national law, and so far only Belgium and Croatia have done so. But the deadline for member states to transpose the Directive is fast approaching: by 17 October 2024, EU countries should have transposed the directive into national law. This includes introducing the legal mechanisms to impose the – substantial – minimum fines in those countries where national law does not yet allow for administrative fines.
Does NIS2 concern your organisation?
Many organisations now fall under the direct scope of NIS2. The determination will be made at national level, but annexes to the law already provide a list of sectors and functions (using the NACE2 nomenclature). Every business organisation other than SMEs whose activities fall under one of those categories will potentially belong to this in-scope group. In addition, several digital sector operators and others already in scope for NIS are also added regardless of size.
The first formal indication will come in a few months, when you receive a questionnaire from the authorities of the member state(s) in which you operate. Governments are expected to draw up the list and send it back to the European Commission by April 2025. The list will be updated every two years thereafter. NIS2 empowers the Commission to issue updates on these criteria in future years. We can also expect a fair amount of activity from the European Commission in the form of implementing regulations over the next few months.
If you do not belong to those directly targeted by NIS2 requirements as interpreted by national laws, you may still experience the “secondary level” effects of NIS2. This is especially likely if you are a supplier and/or contractor of organisations directly in scope, since their duty to proactively manage cyber and physical risks to their operations includes heightened scrutiny of supply-chain-related risks.
How we can help you prepare
Risk management strategy: We can help you develop your risk management strategy, which will become a requirement under NIS2.
Training: asvin can offer training to C-level and board members, which will also become a requirement[1] after NIS2 is transposed into national legislation. As a reminder, the deadline for transposition is 17 Oct. 2024.
[1] NIS2, Chapter IV (Cybersecurity risk-management measures and reporting obligations), Article 20: Governance.
Risk by Context™: We can customise and implement our Risk by Context solution, which identifies risks and automates prioritised interventions across all your plants regardless of geographical location.
SECTORS OF HIGH CRITICALITY – Source: NIS2 Annex I
OTHER CRITICAL SECTORS – Source: NIS2 Annex II
Author: Gaelle Le Gars